We Can't Afford Even One E-Voting Morris Worm

from the catastrophic-failure dept

Over at CNet, Declan McCullagh has an interview with probably the most prominent computer scientist who supports paperless e-voting, Michael Shamos. In a wide-ranging discussion, Shamos acknowledges that e-voting isn't perfect but insists that every voting system has its flaws, and that e-voting can be made to work better than either paper ballots or touch-screen machines with paper trails (which he points out tend to jam a lot). Mike already pointed out some problems with Shamos's analysis, and you can check out Dan Wallach's post for a comprehensive rebuttal. But I found one of Shamos's comments particularly striking. He says:

Remember Robert Tappan Morris and the Internet worm? I would get worried if we start to see systematic evidence (of increasingly robust) attacks. But we've never seen any of those.

Shamos is referring to probably the most famous malware attack in the history of the Internet. In 1988, a grad student named Robert Morris created a worm that infected hundreds, if not thousands, of computers across the Internet. It was by far the most damaging Internet worm up until that time, and as a proportion of all hosts on the Internet, probably still ranks among the most successful worms in Internet history. The important point for our purposes is that nobody saw the Morris worm coming. The security vulnerabilities exploited by the Morris worm were known ahead of time, but few people other than the worm's author realized their seriousness.

Of course, once the Morris worm brought the Internet grinding to a halt for several days, everyone became acutely aware of the importance of security, and so they quickly fixed the bugs Morris had exploited. And luckily, at this point the Internet was still a relatively small, academic network, so while it cost millions of dollars of work to clean up the mess, no irreparable damage was done. But there wasn't a series of "increasingly robust" attacks leading up to the Morris worm that could have provided fair warning to Internet users of the day. The Morris worm was a lot more sophisticated and successful than anything that had come before it. And by the same token, there's no reason to think that the bad guys will give us some advance warning by incompetently trying to steal a few city council seats before they disrupt a presidential election. If we continue to vote on insecure e-voting machines, we run the risk that our first clue that something is wrong will be when the voting machines in a key swing state "malfunction," throwing the presidential election into turmoil. I don't think we can afford to take that risk.

Reader Comments

Lessons not learned

It's been nearly twenty years since I was awakened by a panicked call from Purdue University's Computing Center operations staff telling me "all the VAXes are down", because that's how it looked at first blush. What followed was a fairly good reality check and a substantial amount of panic as it was realized that this problem extended across the campus and beyond. We were lucky: my colleague Kevin Braunsdorf and I figured out a one-line fix that blocked the worm from propagating, and of course it turned out that it didn't include malicious, data-destroying code.

Fast-forward to today and it becomes clear that NONE of the vendors or backers of computerized voting systems have absorbed the lesson -- or if they have, their knowledge has been overruled by their profit motive. As Schneier's brilliant economic analysis has shown, the budget available to an attacker going after the US Presidential election should be presumed to be on the order of $100 million. That's easily enough to subvert these systems using a Morris-worm-ish technique, albeit with considerably more subtlety so that it's not nearly as easy to detect.

Moreover, the continued refusal by voting system vendors to publish all source code, all hardware design documents, etc. and submit them for public inspection means that the pool of people with access to this information is severely limited. Worse, it's limited to the same people who are known to be designing, building, and deploying buggy, insecure systems, thus the people least likely to detect an issue similar to the Morris worm.

We need to go back to pencil and paper ASAP. (Yes, pencil and paper systems have their issues, too, but they're vastly better-understood and they have the highly desirable property that they're much more difficult to subvert en masse, which largely prevents large-scale fraud.)